An interesting topic came up at work today regarding the performance and security features of DNS servers. A colleague pointed me to an interesting new service launched by Norwegian Internet security firm Mnemonic. The service is a type of free and secure DNS service that protects users from malicious sites by resolving their addresses to its “sinkhole” site (a web server with a blocking page). Sounds like a good idea, especially for users who need that kind of protection against themselves (e.g. your average Internet citizen).

Now, I’ve been a long-time user of Google’s free public DNS offering and have been really happy with the service, and as I’m not a huge fan of filtering DNS servers I probably won’t switch - unless the performance of Mnemonic’s service is better. I’ve always “felt” that Google DNS performed better than my ISP’s own DNS servers. Feeling is, as we know, a very, very dangerous thing to do in the IT world, which brings me to the point of this article. Let’s measure the performance and bring some raw, qualified data to the table!

[Image: “Measure all the things” meme]

Let’s compare some public DNS servers with some ISP DNS servers! I’m using a tool called namebench, and the following three are the ones I’m interested in measuring:

So let’s run namebench with these nameserver IPs as arguments (I’m leaving out Google’s name servers since those are my default). Namebench will automatically determine some other name servers to test too:

$ namebench

This outputs some numbers and graphs to stdout, but more importantly it also generates an HTML report with some numbers and graphs.
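To show what namebench is measuring under the hood, here is a small latency benchmark of my own (an added example, not namebench’s code or anything from the tool’s authors). It builds raw DNS queries over UDP, times each round trip, and ranks the resolvers by median latency. The resolver addresses and the test names in the `__main__` block are assumptions (Google public DNS and OpenDNS by their well-known addresses); swap in your ISP’s servers to reproduce the comparison. One detail worth copying into any such tool: a reply is only counted if its transaction ID matches and the QR bit is set, so stray or spoofed packets do not end up in the statistics.

```python
"""Minimal DNS latency benchmark in the spirit of namebench (added example)."""
import random
import socket
import statistics
import struct
import time
from typing import Dict, List, Optional


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a standard recursive A query (RD=1) for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(packet: bytes, expected_qid: int) -> dict:
    """Extract id match, QR flag, RCODE and answer count from a raw DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id_ok": qid == expected_qid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 3 = NXDOMAIN
        "answers": ancount,
    }


def time_query(server: str, name: str, timeout: float = 2.0) -> Optional[float]:
    """Send one UDP query and return the round trip in ms, or None on timeout/mismatch."""
    qid = random.randrange(0, 0x10000)
    pkt = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(pkt, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    info = parse_response(data, qid)
    if not (info["id_ok"] and info["is_response"]):
        return None  # stray or spoofed packet: do not count it as an answer
    return elapsed_ms


def summarize(samples: Dict[str, List[Optional[float]]]) -> List[dict]:
    """Rank resolvers by median latency; None samples are counted as timeouts."""
    rows = []
    for server, times in samples.items():
        ok = [t for t in times if t is not None]
        rows.append({
            "server": server,
            "median_ms": round(statistics.median(ok), 2) if ok else None,
            "mean_ms": round(statistics.fmean(ok), 2) if ok else None,
            "timeouts": len(times) - len(ok),
        })
    # Resolvers that never answered sort last.
    rows.sort(key=lambda r: (r["median_ms"] is None, r["median_ms"] or 0.0))
    return rows


def benchmark(servers: List[str], names: List[str], rounds: int = 3) -> List[dict]:
    """Query every name against every server `rounds` times and return the ranking."""
    samples: Dict[str, List[Optional[float]]] = {s: [] for s in servers}
    for _ in range(rounds):
        for name in names:
            for server in servers:
                samples[server].append(time_query(server, name))
    return summarize(samples)


if __name__ == "__main__":
    # Assumed resolvers: Google public DNS and OpenDNS; add your ISP's servers here.
    RESOLVERS = ["8.8.8.8", "208.67.222.222"]
    # Assumed test names; namebench uses a much larger, browser-history-derived list.
    NAMES = ["example.com", "example.net", "example.org"]
    for row in benchmark(RESOLVERS, NAMES):
        print(row)
```

Because every query goes to the same name at the same time from the same client, cached answers dominate after the first round, which is exactly what namebench's larger, history-derived name list is meant to avoid; use more names than rounds if you want numbers that reflect uncached lookups.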

[Image: namebench report graph, “DNS performance”]

The above graph is the highlight of the report and there are a couple of interesting things to note from it. First, my ISP’s DNS servers are clearly faster than Google’s (shown in the graph as Internal 192-1-1-). In fact, they are only beaten by OpenDNS (although by a very small margin). Both are about 25% faster than Google’s. These results clearly highlight the importance of measuring things, instead of just trusting your “feelings” or “senses”!

The second interesting thing to note is that Mnemonic’s DNS servers are among the slowest in this test, only “beaten” by DynGuide. They are in fact more than twice as slow as OpenDNS and Get. One might be tempted to attribute this to the fact that they are doing content filtering, but so does OpenDNS. Of course I don’t know the implementation details of either provider’s content filtering technology, but I find it hard to believe that Mnemonic’s implementation is so much better than OpenDNS’ that it’s worth the sacrifice in performance.

As of today I’m switching my home network DNS servers to OpenDNS - I’ll consider the filtering a bonus for non-technical users on the network.